Hotels Under Attack: Hackers Pose as Guests with Poisoned ZIP Files
Phishing campaign targeting hotels in Europe and Asia uses fake complaints and legitimate services to evade security
July 2, 2026 · 5 min read
TL;DR: A phishing campaign targeting hotels uses emails with fake complaints and poisoned ZIP files to install a persistent Node.js implant, disable Defender, and collect information. The final objective is unknown but points to a larger attack.
What Happened?
Since April 2025, Microsoft Threat Intelligence has detected a phishing campaign targeting hotels and hospitality organizations in Europe and Asia. Attackers send emails to receptionists, front desk staff, and reservations teams with subjects such as guest complaints, bed bug infestations, or booking inquiries. The emails are written in Danish, Dutch, and Japanese, tailored to the target's local language. This linguistic segmentation is no coincidence: it reflects prior knowledge of the targets, likely obtained from leaked databases or from scraping hotel websites. According to Microsoft, the campaign has affected medium and large hotel chains, though specific names have not been disclosed.
To evade authentication controls (SPF, DKIM, DMARC), attackers abuse legitimate services like Calendly and Google's redirect infrastructure. This allows them to perform "authentication washing" that makes emails appear legitimate. Technically, attackers generate Calendly links that redirect to pages they control, leveraging the good reputation of Calendly and Google domains. This is a qualitative leap from previous campaigns that used malicious domains or compromised accounts; now phishing hides behind trusted services.
The attachments are ZIP files with photo-themed names (e.g., 'room_304_photos.zip') containing .LNK (shortcut) files disguised as .PNG images. When opened, they trigger a multi-stage infection chain that installs a persistent Node.js-based implant. The choice of Node.js is unusual: most implants use PowerShell or VBS scripts, whereas Node.js allows greater obfuscation and cross-platform capabilities. The malware adds Microsoft Defender exclusions for itself and other random executables, copies itself to multiple locations, creates Run and RunOnce registry entries, and schedules tasks to ensure persistence.
Why Is This Important?
This campaign is significant for several reasons:
- Silent Persistence: The malware modifies Microsoft Defender to exclude itself and other random executables from scanning, copying itself to multiple locations to ensure persistence. Additionally, it disables Windows Defender notifications, making it difficult for users to notice the infection.
- Reconnaissance Capabilities: Once installed, the implant beacons to C2 servers, collects environment information (public IP, system details), launches headless browser sessions, and in some cases forces immediate system shutdowns. The use of headless browsers suggests attackers are trying to interact with internal web portals (e.g., booking systems) from the compromised machine, as if they were the legitimate employee.
- Unknown Objective: Although Microsoft cannot determine the final goal, everything points to a reconnaissance phase before a more disruptive attack, such as ransomware or data exfiltration. Historically, the hotel sector has been a target for ransomware (e.g., the MGM Resorts attack in 2023), and this campaign could be a similar prelude.
- Security Evasion: The use of legitimate services for authentication washing demonstrates increasing sophistication in phishing techniques, making detection by traditional email filters difficult. Security solutions that only check domain reputation or SPF/DKIM fail here because emails pass all verifications.
Additionally, the campaign shows an evolution from previous tactics: in 2023, similar campaigns were detected abusing cloud storage services (Dropbox, Google Drive) to host malicious files; now authentication washing is the new vector. This indicates attackers are constantly innovating to bypass email defenses.
What Will Be the Consequences?
If attackers manage to establish persistence in hotel systems, they could:
- Steal guest data (personal information, credit card details). In the EU, such a breach could result in fines of up to 4% of global turnover under GDPR. For example, the Marriott chain was fined £18.4 million in the UK for a 2018 breach.
- Deploy ransomware that paralyzes hotel operations. The DarkSide ransomware, which affected Colonial Pipeline in 2021, showed how an attack can halt critical operations; in a hotel, the impact would include mass cancellations and revenue loss.
- Use compromised systems as an entry point to attack other parts of the corporate network, such as property management systems (PMS) or central databases.
- Disrupt critical services like reservations, check-in, and property management systems, causing operational chaos and reputational damage.
The economic and reputational consequences for affected hotels could be severe, including data breach fines (GDPR) and loss of customer trust. A 2024 IBM study estimates the average cost of a data breach in the hospitality industry at $3.5 million, not including brand damage. Moreover, service disruption can lead to lost bookings and cancellations, as seen in the 2023 attack on the MGM Resorts chain, which reported $100 million in losses.
What Should Readers Know?
Microsoft recommends organizations focus on detecting campaign behavior rather than individual indicators. Key signals include:
- ZIP files with photo themes received via email, especially from unknown or unexpected senders.
- Unusual PowerShell activity, such as script execution from temporary directories or payload downloads.
- Unexpected Node.js execution from user profile directories (e.g., %AppData%).
- .NET compilation initiated by PowerShell, which may indicate downloading tools like Cobalt Strike.
- Changes in Microsoft Defender exclusions, especially if random executable paths appear.
- Random executables running from temporary folders (C:\Users\*\AppData\Local\Temp).
- Suspicious Run and RunOnce registry entries with names mimicking legitimate processes (e.g., 'WindowsUpdate').
- Outbound connections to non-standard ports (like 8443, 4443) and newly registered .cfd domains (a rare TLD, making identification easier).
- Headless browser activity (processes like chrome.exe --headless) followed by forced shutdown commands (shutdown /s /f /t 0).
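One way to turn these behavioural signals into triage logic, as an added example that is not from the article or from Microsoft's guidance: the telemetry, user paths and the .cfd domain are constructed, and the event shape only loosely mimics Sysmon process-creation and network-connection records.

```python
# Added example (not from the article or Microsoft's report): behavioural triage of
# constructed endpoint events. Field names, paths and the .cfd domain are invented.
import re
from datetime import datetime, timedelta

EVENTS = [  # constructed telemetry: one suspicious sequence, then a benign Chrome launch
    {"ts": "2025-06-01T09:00:00", "type": "process", "image": r"C:\Users\fd\AppData\Roaming\nodejs\node.exe", "cmd": "node.exe"},
    {"ts": "2025-06-01T09:00:05", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell Add-MpPreference -ExclusionPath C:\Users\fd\AppData\Local\Temp"},
    {"ts": "2025-06-01T09:00:09", "type": "process", "image": r"C:\Users\fd\AppData\Local\Temp\svchosts.exe", "cmd": "svchosts.exe"},
    {"ts": "2025-06-01T09:00:10", "type": "network", "dest": "photos-review.cfd", "port": 8443},
    {"ts": "2025-06-01T09:01:00", "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "chrome.exe --headless"},
    {"ts": "2025-06-01T09:01:30", "type": "process", "image": r"C:\Windows\System32\shutdown.exe", "cmd": "shutdown /s /f /t 0"},
    {"ts": "2025-06-01T09:30:00", "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "chrome.exe"},  # benign
]

def single_event_rules(e):
    """Rules that fire on one event; returns the names of the rules hit."""
    img, cmd, hits = e.get("image", "").lower(), e.get("cmd", "").lower(), []
    if e["type"] == "process":
        if img.endswith("node.exe") and "\\appdata\\" in img:      # Node.js run from a user profile
            hits.append("node_from_user_profile")
        if re.search(r"\\appdata\\local\\temp\\[^\\]+\.exe$", img):  # executable launched from Temp
            hits.append("exe_from_temp")
        if "add-mppreference" in cmd and "-exclusion" in cmd:      # Defender exclusion being added
            hits.append("defender_exclusion_change")
    elif e.get("port") in {8443, 4443} or e.get("dest", "").lower().endswith(".cfd"):
        hits.append("suspicious_outbound")                          # non-standard port or .cfd domain
    return hits

def headless_then_shutdown(events, window=timedelta(minutes=5)):
    """Sequence rule: a forced shutdown within `window` of a headless browser launch."""
    last, alerts = None, []
    for e in sorted(events, key=lambda x: x["ts"]):
        cmd, t = e.get("cmd", "").lower(), datetime.fromisoformat(e["ts"])
        if "--headless" in cmd:
            last = t
        elif cmd.startswith("shutdown") and "/f" in cmd and last and t - last <= window:
            alerts.append(e["ts"])
    return alerts

def triage(events):
    """Map each rule name to the timestamps that triggered it."""
    report = {}
    for e in events:
        for rule in single_event_rules(e):
            report.setdefault(rule, []).append(e["ts"])
    if seq := headless_then_shutdown(events):
        report["headless_then_shutdown"] = seq
    return report
```

Single-event rules are noisy on their own; the sequence rule and the clustering of several hits on one host within minutes are what separate this pattern from routine administration.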
It is crucial for hotel IT and security departments to enhance staff awareness, implement advanced email filters that analyze link behavior (not just reputation), and actively monitor these behavior patterns. Additionally, restricting Node.js and PowerShell execution on non-technical user workstations and regularly auditing Defender exclusions is recommended. Staff training should include concrete examples of this type of phishing, highlighting that emails can be in local languages and appear legitimate.